# ─────────────────────────────────────────────────────────────────────────
# Secrets, credentials & anything that identifies or endangers the operator's
# infrastructure. NEVER commit. The app reads credentials from environment
# variables only (vault-injected at runtime); nothing secret lives in files.
# Note: an ignore rule only keeps untracked files from being staged — it does
# not untrack anything already committed and is bypassed by 'git add -f'.
# Treat it as a guard rail, not the control; a value that did land in history
# must be rotated, not just deleted.
# ─────────────────────────────────────────────────────────────────────────

# Generic secret/credential files. Note '.env.*' also matches value-free
# templates such as '.env.example'; un-ignore one explicitly ('!' rule) if it
# is meant to be committed.
.env
.env.*
*.env
secrets.json
secrets.yaml
secrets.yml
credentials
credentials.json
*.token
*.secret

# Vault linkage — workspace identifier kept out of a PUBLIC repo on purpose
# (created locally by 'infisical init'; CI uses GitHub secrets, not Infisical).
.infisical.json

# Exoscale / cloud credentials
# EXOSCALE_API_KEY / EXOSCALE_API_SECRET must come from the environment.
exoscale.toml
.exoscale/
.aws/
.boto

# Keys & certificates
*.pem
*.key
*.p12
*.pfx
*.crt
*.cer
id_rsa
id_rsa.pub
id_ed25519
id_ed25519.pub
id_dsa
*.ppk

# Kubernetes configs — kubeconfig files embed cluster endpoints and client
# credentials (tokens / client certs), not just addresses.
*.kubeconfig
kubeconfig
.kube/

# Terraform / IaC state & vars. State files record resource attributes (often
# including secrets) in plaintext; note '*.tfvars' does not match
# '*.tfvars.json'.
*.tfvars
*.tfstate
*.tfstate.*
.terraform/

# Logs may capture request URLs, zone/account identifiers, resource names —
# keep them local.
*.log

# Local-only working notes (handover, review logs) — never belong in a PUBLIC
# repo; they may reference infrastructure or vault details.
HANDOVER.md
*.local.md
*.local.txt

# ─────────────────────────────────────────────────────────────────────────
# Build / cache / environment — not harmful, just noise.
# ─────────────────────────────────────────────────────────────────────────
__pycache__/
*.py[cod]
*.egg-info/
build/
dist/
.eggs/

.venv/
venv/
env/

.pytest_cache/
.mypy_cache/
.ruff_cache/
.coverage
coverage.xml
htmlcov/

# IDE / editor
.idea/
.vscode/
*.swp
*.swo
*~

# OS
.DS_Store
Thumbs.db
